CVE-2025-48074

OpenEXR provides the specification and reference implementation of the EXR file format, an image storage format for the motion picture industry. In version 3.3.2, applications trust unvalidated dataWindow size values from file headers, which can lead to excessive memory allocation and performance degradation when processing malicious files. This is fixed in version 3.3.3.

Database specific

{
    "cna_assigner": "GitHub_M",
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2025/48xxx/CVE-2025-48074.json",
    "cwe_ids": [
        "CWE-770"
    ]
}

References

Affected packages

Git / github.com/academysoftwarefoundation/openexr

Affected ranges

Type

GIT

Repo

https://github.com/academysoftwarefoundation/openexr

Events

Introduced

55d1a1404cec5b4b187009d9f7fe55a5622ac4e5

Fixed

da760aa4b6bee4b9d74b8c6a151221b035fc47b7

Database specific

{
    "versions": [
        {
            "introduced": "3.3.2"
        },
        {
            "fixed": "3.3.3"
        }
    ]
}

Affected versions

v3.*

v3.3.2

v3.3.2-rc4

v3.3.3-rc

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48074.json"

Git / github.com/openexr/openexr

Affected ranges

Type

GIT

Repo

https://github.com/openexr/openexr

Events

Introduced

Last affected

55d1a1404cec5b4b187009d9f7fe55a5622ac4e5

Database specific

{
    "versions": [
        {
            "introduced": "0"
        },
        {
            "last_affected": "3.3.2"
        }
    ]
}

Affected versions

Other

OPENEXR_1_0_4

v1.*

v1.7.1

v2.*

v2.0.0

v2.0.0.GM

v2.0.1

v2.1.0

v2.3.0

v2.4.0

v2.4.0-beta.1

v2.5.0

v3.*

v3.0.0-beta

v3.2.0-rc

v3.3.0

v3.3.0-rc

v3.3.0-rc1

v3.3.0-rc2

v3.3.1

v3.3.1-rc

v3.3.2

v3.3.2-rc

v3.3.2-rc2

v3.3.2-rc3

v3.3.2-rc4

Database specific

source

"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2025-48074.json"